HIPAA Blog

[ Tuesday, November 05, 2013 ]

California Update (Happy News for Kaiser): California's Confidentiality of Medical Information Act requires California entities to protect medical information, and prohibits them from disclosing the information except for proper purposes. In a case I noted earlier, UCLA had an issue when a physician took home a portable hard drive, which was stolen from his house. The hard drive was encrypted, but the encryption key was on a sticky note stuck to the hard drive, so UCLA couldn't rely on the encryption. However, a California appeals court has ruled that the plaintiff must prove that the information was actually disclosed, not just lost.

This is good news for Sutter, which had a theft at one of its offices involving a desktop computer (believe it or not) with PHI on 4,000,000 people. Since CMIA allows for $1,000 statutory/nominal damages per person, that's a $4 Billion potential loss. However, unless the plaintiffs can prove that the PHI was disclosed, not just lost, the damages might not be there.